327 comments

[ 2.6 ms ] story [ 273 ms ] thread
I wonder if Apple uses any data from the Shortcuts app when deciding what features to build next
You mean Apple is tracking their users behavior? Impossible!
I also thought about this, because this is an exact shortcut I have already and use constantly, everywhere it is in my Share Sheet
I wonder what companies will do now, probably embed the tracking information within the URL without using parameters, like dynamic URLs that are unique to a particular user/cookie?
I could see the writing on the wall. Offerup I think does this. If you click through an item in a search the URL has a UID in it. Then if you click on the seller and find the item from there, its an integer (which is likely a database index).
There's not a whole lot that can be done to combat this, but I suppose Apple could do something like keep a database of known tracking URL patterns and when encountering such URLs, "unwrapping" them in an isolated background webview which is fully generic across machines and doesn't have the user's cookies or other data, which would limit the information gathered, and then finally passing the untracked URL back to the user's webview instance.

EDIT: They could also do something similar to what they've done with Content Blocking Extensions, maybe call them "URL Cleaning Extensions", which allow third parties to maintain tracking URL pattern lists which Safari can then follow to do its unwrapping.

Already ahead of you. They're already generating custom links with all the tracking parameters embedded. Tumblr, TikTok and Facebook have done it for a while now.
Yeah, all you need is to encrypt the URL (which includes tracking query parameters), and then the URL you give out is the encrypted blob.

When the web server gets a request, it can validate & decrypt, update any tracking values, and redirect to the real URL.

Historical patterns with Mail.app on iOS suggests that Apple will simply code something that fetches all such links in order to collect a preview, whether or not the preview is ever shown to the user, just as they do with Mail.app images today when iCloud Private Relay is enabled. At which point the tracking value becomes less than zero, because it pollutes the core dataset attribution “a human saw this”.
Tiktok does this. If you share anything on Tiktok, and someone clicks on the URL they get an alert "purpleblue shared this video with you!" and you can leak your private account to someone.
There is a TikTok setting to disable this. It still tracks you as the origin of the share action (naturally), but it’s hidden from the receiver.
I often remove tracking parameters from URLs and I notice that some services/websites return an error if you visit it without a tracking parameter. If a service does this, apple can't remove the tracking parameter from the URL any more.
They're already doing it. I stopped clicking on links the second I realized this.
> As a partial mitigation, Apple is enabling an alternative way for advertisers to measure campaign success, with Private Click Measurement ad attribution now available in Safari Private Browsing mode. Private Click Measurement allows advertisers to track ad campaign conversion metrics, but does not reveal individual user activity.

While as a consumer I do objectively like the privacy measures Apple is adding, at end of the day they're simply consolidating all tracking power to themselves.

Private Click Measurement is a standard that Apple has proposed and is working with the W3C to standardize, as well as working with other browser manufacturers:

https://webkit.org/blog/11529/introducing-private-click-meas...

Ah yes, the AMP strategy.
Exactly what people say they should have done with FaceTime, right? So, which one is it? Should they do it or should they not?
If they were really working with standardization, they'd wait ...
Are there any examples of using that approach in the history of web browsers?

I thought that mostly boiled down to “IE/Netscape/Chrome/…” implements it, and if enough browsers implement it, we’ll document it as standard”

No they wouldn't. I can't think of a single thing in any browser that was implemented after a standard was created. It's always been driven by one browser just doing a thing, then other browsers do it slightly differently, then the standards body comes together and they settle on the-one-true-way and everyone updates their support to match the standard.
[flagged]
Lol ok let me say "most everyone mostly matches the standard" :)
Oh, the boundless optimism. How cute.

Oh, pointless condescension on the internet. How cute.

It very much used to work like this, pretty much exclusively.

More recently, though (especially, the last couple of years), browser vendors work very closely with standards groups, contributing there, and looking for feedback from other browser vendors. At least in the CSS and JS space, the extensions to those standards have proceeded largely as a group effort rather than as you described.

There's pretty much always implementations, but it is a huge headache when people rely on behavior which is not yet stable.

The browsers have started to first ship things behind feature flags, and in Chrome's case also behind "Origin trials". We just have less need now for one browser to go off and define their own way for borders to be drawn as rounded rectangles.

I suspect we'll see some funky CSS extensions ship pre-standardization for VR headsets, though. Things like controlling the z-axis height of <dialog> and other elements.

Becoming a standard requires independent, working implementations. So this is very much part of the process.

https://www.w3.org/2021/Process-20211102/#implementation-exp....

It doesn't require them to be inflicted on all of the internet. And it most definitely doesn't require you to go ahead and redirect a huge chunk of ad income to yourself while "processing" the standard.

This is somewhere between anti-consumer and stealing.

> It doesn't require them to be inflicted on all of the internet. And it most definitely doesn't require you to go ahead and redirect a huge chunk of ad income to yourself while "processing" the standard.

I can't quite figure out who or what in particular you are talking about.

If the original topic, Apple/Safari do not charge for private click measurement, and Apple does not have any significant advertising platform for the web.

There are other more controversial uses of the technique - mobile game SDKs used tracking identifiers and other techniques to try to measure conversion and associate it to a persona, which Apple shut down with ATT. Apple added a PCM-like technology at about the same time so that advertisers could get broad metrics on advertising programs and conversion.

This is different/separate from more controversial uses, such as blocking in-app advertising/install conversion metrics and persona building. There, Apple _does_ have some competing interest in terms of the App Store ad platform.

Wait until Google implements something and shoves it down everyones throat in Chrome and then has all the Google fanboys claiming that its the best thing since sliced bread and thus should get implemented by every other browser just because Google did it?

That's how we ended up in the situation where Google shipped U2F, sites implemented their implementation and then when the standard WebAuthN was built it was not compatible so sites had to be updated to be standards compliant, and it took a while to do so.

Or when Google added WebP without clear consensus. Or when they added FLoC or Topics API, or whatever else they have cooked up. Or things like WebUSB, WebMIDI and others?

There's a glut of Chrome only sites out there, and it continues to grow as web developers test just on Chrome but not the other browser engines. It's turning into the next IE 6, I remember the time there were a lot of "Made for IE 6" logos and graphics on sites and they did not render well or at all in Netscape.

"dearth" means "lack" or "scarcity". I think it's the opposite of what you meant.
You are correct. Edited and replaced the word with glut. Thank you!
As much as the locking down of iOS is annoying for everybody technical, we should be somewhat thankful that Apple has ensured a large population of mobile safari users.
Except in every thread about iOS or Safari are a ton of people crying for real Chrome on iOS because Safari is the new IE 6 holding the web back by not implementing the new WebDogCam4 “standard” Google pushed out 2 days ago.
Honest question: do you think Apple is holding back the web?
Apple is holding ChromeOS back, which is what the Web will turn into if Google has free reign.
The mention of “the new WebDogCam4 “standard” Google pushed out 2 days ago.” didn’t register as sarcasm with you, huh?
Chrome is not "the web."
To a ton of people (including developers), it is. Therefore anything that’s not Chrome or 100% compatible is “breaking the web”.

No one is forcing a Chrome hegemony on us. Developers are choosing it.

Those developers will always, ALWAYS cater it iOS - where the money is.
... and they'll do this by having their mobile team create an app, and making their website refuse to work on iOS by user-agent string.
This is something that lots of people complain about but somehow I never experience. Not to doubt it—I’ve seen the complaint enough that I believe it—mostly I’m just confused as to how I’ve managed to dodge the problem.

Firefox and mobile Safari, so I guess I should experience it…

Hmm, many google web features not-so-subtly nudge you to install Chrome. Some outright block usage of anything other than Chrome. This has been going on for well more than a decade.

I regularly see small/medium websites which state they only work with Chrome, but I feel they do so at their peril.

I see some of those sites push people to install a "desktop app" if you do not use Chrome, which is of course an Electron-based app.

I also regularly see services that just fail for long runs of time on non-Chrome browsers due to complete lack of regression testing, or (slightly more generously) because they aren't testing their services against current releases of Firefox/Safari. Safari is more sensitive to this, both because of a much more active development tick compared to Firefox, and because it is leveraging system frameworks rather than a relatively static compatibility layer 'buffer'.

Nope. Not at all. I think they’re doing great. Most of the stuff I see complain about here on HN are features I’m not sure should exist (web push notifications, hardware access), uBlock (there are other options), and some PWA stuff they’re doing but I do t think there is anywhere near the call for from users some developers think.

If Safari was as bad as so many claim it would have next to no desktop market share. But despite Google pushing Chrome at every opportunity tons of people like my self prefer Safari.

Apple has different priorities for Safari than Google does for Chrome. That’s fine. My priorities match Safari far better, I’m perfectly happy with how they’re doing things.

Actually Chrome is the new IE.

Many forget that Microsoft was introducing many incompatible standards, and only let IE stagnate after they won over Mozzilla.

Safari isn't the one turning the Web into ChromeOS.

^ This, 100%. Chrome is by far the bad actor, and not only that, Safari is arguably the better browser even if strictly looking at "support for web standards" (but in many other ways as well).

The vitriolic hate it gets in many threads are completely misguided and likely the result of years-old opinions on it. In the last 3 years Safari dramatically accelerated development, leapfrogged Chrome in performance to a staggering degree, and basically became close to an ideal browser.

And nearly every so-called standard people point to to "prove" Safari is lagging behind is almost always just something Chrome pushed out without any consensus.

It's funny because I think the hate comes from Webkit being forced on iOS, but it often comes out as "Safari sucks it's the new IE" which is pretty much the opposite of true and undermines the point.

Safari used to be "the new late-IE" a few years ago. It lagged significantly behind other browsers and it kept intentionally holding back support for open standards and codecs, forcing websites to make Safari-specific workarounds whenever you wanted to do basic things (I had to write scripts to transcode Vorbis to MP3 when deploying a web game just so it could have sounds on Safari, for example).

These days Safari gets better indeed (through it's still a PITA in some areas), while Chrome is clearly "the new golden-days-IE" - which long-term is probably much worse than Safari could ever be.

As someone who grew up with mp3s, your example seems interesting because it seems like an example where you had to encode from something obscure (ogg) to the closest thing to a “universal” sound format as wav could be: MP3.

In that case doesn’t it seem like Google took an ideological stance by choosing a non-patent-encumbered codec instead of supporting mp3? And they could do it because of their dominance? Or is that not accurate?

Vorbis was ubiquitous on the Web way before Google had such influence over it as it has today, and MP3 was absolutely nowhere near universal. Firefox did not support MP3 for a while, and even once it did it relied on system codecs - and many distros didn't ship with MP3 support by default until its patents expired a few years ago.

Choosing non-patent-encumbered codecs for open standards is as much ideological as practical.

I’ve never seen Vorbis and ubiquitous in the same sentence. Besides Mozilla, who had Vorbis native support in their browser?

In practice, MP3 has had support on every platform since the mid 90s. I could probably count the number of times I’ve come across an ogg file being distributed on one hand.

> Besides Mozilla, who had Vorbis native support in their browser?

Pretty much everyone who implemented HTML5 audio for a few years, while MP3 support in the browser was initially barely heard of? Mozilla, Google, Opera, KHTML, WebKit... Safari and IE were the only outliers, and had tiny minority of market share for a while (not counting versions that didn't support HTML5 audio at all). Today only mobile Safari is still an outlier.

You couldn't use MP3 without Vorbis fallback on the Web for about a decade. Whenever you played audio in the browser without using Flash on anything else than iPhone, chances that it was Vorbis were very high for a good while. YouTube used it in WebM before switching to Opus. In fact, even AAC gained reasonable support on the Web earlier than MP3 did.

In practice, although very popular, MP3 was nowhere near universally supported until just a few years ago. I know that pretty well - I have posted patches to some projects that enabled MP3 support once its patents expired myself; I've also used to maintain websites based on HTML5 audio since 2009.

I had a portable "MP3" player that natively supported Vorbis long before HTML5 was a thing.
In what alternative universe?
Non-patent-encumbered and standard are not the same thing at all. Platforms do not want to ship support for esoteric formats, and will fight back against adding anything not needed for long-term interoperability - for examples, see JPEG XL drama lately in Chrome.

This is for maintainability/security surface reasons as well as patent risks, as open/closed and standardized/bespoke axes have nothing to do with whether or not something is patent encumbered.

Hmm I find browser plug-in support limited. Can safari run ublock origin?
I haven't seen anyone re-evaluate it since Safari added Web Extensions on Mac and iOS a few years back.

Most likely not for same reasons ad blockers were freaked about Chrome's Manifest v3 push - browsers are trying to optimize away the latency from a massive synchronous javascript-based list check on page load, and the privacy risk that comes from these extensions having exposure to every page (and injecting their code into every page). Conversely, the web extension authors don't see the set of limitations as feasible.

But it is odd that uBlock Origin doesn't seem to have even issued a public-facing statement of even evaluating the functionality that is there in Safari.

No. Apple doesn’t let plugins hook in so much because the plug-in ends up seeing a ton of data about what the user browses, and they can slow the browser down if badly written.

Apple lets plugins provide lists of elements/css/IPs/etc to block. Safari processes them and is able to block stuff based on that extremely fast and power efficiently.

There is flexibility lost. Plug-ins can’t see which rules are/aren’t hitting. You can’t filter based on the content of a request.

So there are ad blockers, and they work well. But uBlock, as it works elsewhere (I know it’s considered the best), isn’t possible due to the trade offs Apple chose.

This isn’t true anymore, there are numerous ad blocking plugins that do the extensive blocking just like uBlock. May not be as good due to less active community, but the capabilities are there and a few of them are quite good.
Oh I fully agree. It that’s not the comments that come out of the woodwork.

“New IE” seems to mean “browser I don’t want to bother with”, not “browser with an iron grip over web standards”.

I'm very technical and not remotely annoyed by iOS being locked down. It would be like being annoyed the the SUV I bought isn't a sports car.
That's a pretty poor comparison, a lot of the Android vs iOS debate is more akin to buying a sports car and then finding out it won't go more than 50km/h outside of your own country.

Back before flagship prices inflated (due to Apple) people buying a $1k iPhone couldn't do something as simple as use a different keyboard. And of course the product is advertised as advanced tech, yadda yadda.

There's been a spate of things, custom keyboards, wallpapers, multi-tasking, installing apps from a store rather than built-in, home/lock screen widgets, default apps for certain files, PiP, app drawer, and so much more.

I don't consider companies being inspired by/adding features from the other, it's not theft when it's a good idea (unless it's Apple's, then you get sued). But for them to market the way they do while taking so long to add basic things like these, it's just ugh.

Keeping in mind, of course, there are plenty of people who won't turn off the TV because there's nothing on that they want to watch; they'll just pick the channel that is the least bad.

"Made for IE 6" -- TRIGGER! I remember back in my design days all the IE specific overrides for proper rendering.
That's how nearly everything that is now a web standard came about. The web standards groups generally don't want to even consider something for standardization until someone has actually implemented it and deployed it.
I for one see the turning of Web into a sandboxed OS as an improvement, even if it’s lead by Google.
I don't understand what's preventing me from manually removing these URL parameters as well, just like I currently do with UTM params when I copy/paste something into a chat app.
It's about clicks instead of sharing it. So it'll strip it when you click it, instead of copying the link, pasting it, then stripping and hitting enter. Workflow optimization basically :)

Also, more privacy by default seems like a good thing, not everyone understands URLs.

I would like this capability on any home router/cable-modem/FW
That would be neat. I suspect the browser and/or OS would have to be aware of it though, in order to cooperate, in which case why not just have the browser/OS implement it?
With HTTPS it cannot read the URL query params
Not saying it's practical but you could add your own CA on each client device and the router MitMs.

Or, e.g. you can set a flag when building Firefox that will store the secrets necessary to decrypt those packets, and the client sends the secrets to the router which sniffs and decrypts on the fly.

You can, but these sorts of setups have historically been bad about evaluating the upstream certicate/CA chain for validity, and for things like proper certificate transparency.

This might be something a web extension could do, though.

It's a convenience feature. Manually cutting parameters out of a huge URL is a pain, and this feature might help to remove that pain. Nothing stops users from continuing to do it manually when they cut and paste URLs.
It'll be interesting to see how this goes. Google and Mozilla+Meta each have competing standards.

https://github.com/WICG/turtledove

https://blog.mozilla.org/en/mozilla/privacy-preserving-attri...

To my knowledge, Mozilla's design is the only one where someone other than the browser collects & reports on click activity, and with a fairly trustless anonymizing double blind strategy for those intermediaries.

Mozilla isn't in the advertising business. Hell not being a trillion dollar company earns them my sympathy.
Mozilla is in whatever business Google pays them to be in.
Yet here they are doing the saintly work of adding real trustless privacy.
Saintly work would be telling the advertising industry to get fucked not finding ways to help them.
(comment deleted)
Without the online advertising business Mozilla cannot survive. As such, they advocate for preserving the online ads business. They partner with an advertising company. And they derive profit in return.

Opinions may differ, but to me being an advocate for it is no better than being "in" the advertising business.

(Not to suggest Mozilla is worthless. Far from it. I use Firefox on mobile, although I use a browser sparingly.)

(comment deleted)
"Let's fight tracking by embedding tracking in the core of the browser" yeah, great idea.

But I'm sure W3C will bend over as usual

From the link:

> Websites should not be able to attribute data of an ad click and a conversion to a single user as part of large scale tracking

I'm curious, do people generally care about this specifically, or is it the sharing of this information with third parties that's the problem?

I run Firefox with in-built privacy protection enabled and uBlock Origin. However, I'm not doing so because I want to stop the websites I frequent knowing which email of theirs I clicked. My concern is when they share my data with other parties whose services I'm not explicitly engaging with.

Attributing data to a single user is what allows 3rd parties to amass a detailed profile of you (by looking at all your data from many websites that all share with the same 3rd party).

I doubt people are educated enough to care about this specifically, but the tech industry should care.

Of course they can only do this because of their cult-like ecosystem and hugely inflated prices for hardware, software and services.

Without those sources of revenue, well, Apple would turn to data and whatnot too. Was only a while ago that Apple first switched on to the "private and secure" as a selling point, because much of their competition relies on it.

I think we can maybe expect other large tech companies to follow suit, not make money from data/advertising and instead raise their prices, wall their ecosystems as much as possible. Advertise tablets as "not computers". Come up with buzzy marketing stuff like "retina" for every little detail of their products.

This is completely wrong. They are saying they only don't strip PCM parameters because these are anonymous and somewhat privacy preserving. Apple is still uninvolved in the link attribution or other tracking here.
This is a very important revelation for people to have: the deal with Apple is they have complete control over your identity and data. It's slightly better than the deal with Google, FB, & Microsoft where they both control and sell your data to the highest bidder.

Apple's position on privacy is somewhat of an illusion and could disappear whenever they decide. Remember the CSAM debacle? https://www.wired.com/story/apple-photo-scanning-csam-commun...

I still think Apple is doing the best in the marketplace with respect to security and privacy, but if we're being honest they're playing the role of benevolent dictator.

The thing is, the terms-of-service they give you that you agree to. That thing everyone skips. In it, Apple specifically says they don't track you or sell your data (but as you say, that could change). This is why when they do have any breach of that agreement...like when they said that some humans listen to Siri requests to make sure it's being accurate, they were sued for it. People hold their feet to the fire over anything they may flub. And since Apple doubles down on saying they're the best at privacy, more and more people are chomping at the bit to sue them or call them out on it. They have to tread carefully.

Google and Microsoft on the other hand blatantly say "yeah, we look over your shoulder at everything you do on the Internet...you know, to "help" you find what you're looking for or to feed more of it to you. And also, our advertisers would be very interested too". I mean, read THEIR TOS and marvel at it.

Of all of them isn't Google the only one that is actually incentivized to keep the data they get on you to themselves, because of their business model? It sounds bad for Google when they sell their data to others, so they'd feed a competitor for personalized ads. I might be wrong tho.

It's obvious, but I want to make clear, that this doesn't make Google less scary or more trustworty. Avoiding Google is still advised imo.

edit: replace "private" with "to themselves"

Right as I understand it at least. Google's business model has never been to sell your data, despite how persistent that idea seems to be. Your data is Google's most valuable resource and they should be extremely motivated to protect it.
Google's primary interest is in building a relationship with you so it understands the kinds of information you want, and can sell people on preferential order of getting information to you.

They are primarily an information marketplace, and offer people free services so that they'll participate in that market.

Their secondary interest is in things like Adsense and in products like Doubleclick, which are where you worry about tracking and them building a behavioral persona of what you do across the entire internet.

However, Google doesn't need to even see this persona themselves - they just want to get the best ads in front of you to make marketing departments happy. Ideas like "privacy sandbox" are partially driven by this desire - give Google the value of gathering and correlating existing data and more, without the brand impact or risks of holding that data themselves.

The thing they give up is the ability to do cluster analysis across people/demographics to understand where and why an ad is performing. Targeting of advertisements remains a manual process and not a machine learning driven one.

Can you clarify “don’t track you”? Apple charges its advertisers for ad clicks and reports the conversion rate, so whether you make a purchase after clicking one of their ads is definitely tracked (conversion is the main big money tracking data point that Facebook and Google care about).
Reporting a conversion rate is not the same as reporting that _you_ as a particular user converted.

For advertising to remain a viable way to support portions of the web, advertisers need to understand the effectiveness of their programs and marketplaces need to understand the exposure.

Specifications like PCM are competing mostly around how to provide that, although there are also efforts to sandbox local personas to make ad presentation decisions on-device. Personally I'm not so much against those efforts, as it doesn't seem like a betrayal for my web browser to try to select information it thinks I'd more likely care about - as long as I can also choose how/if it does so.

> For advertising to remain a viable way to support portions of the web

I'd rather advertising NOT remain a viable way to support portions of the web

The amount of false information in this message is staggering. Apple never said they won't track you. Apple specifically says they collect this data[1]:

> Usage Data. Data about your activity on and use of our offerings, such as app launches within our services, including browsing history; search history; product interaction; crash data, performance and other diagnostic data; and other usage data.

> Health Information. Data relating to the health status of an individual, including data related to one’s physical or mental health or condition.

> Financial Information. Details including salary, income, and assets information where collected, and information related to Apple-branded financial offerings

Also, Siri hadn't been sued for breaking TOS AFAIK, but they were sued for leaking health records which they couldn't even after getting permission from the user. Also google selling user data is largely a myth.

[1]: https://www.apple.com/legal/privacy/en-ww/

> Apple never said they won't track you. Apple specifically says they collect this data[1]:

Indeed. Apple's concerns are about "third-party" tracking, e.g. multiple parties sharing information about you and building a persona without your awareness or consent.

They fully _expect_ users to build first-party relationships, such as having Apple understand, save, and perhaps provide insights or fraud detection around the transaction log of your usage of your Apple Card.

This is why Google's reaction to App Tracking Transparency was to effectively say "we'll be fine, we have lots of services, and we might push people to log in for features." This is also why Facebook's reaction was to freak out - because they had no legitimate relationships on which to base their web surveillance advertising product on, especially when it was being used to select advertisements for non-Facebook-users.

For first party relationships, the App Store has "privacy labels", to document the data you collect, save and share with processors. Behavioral information is around sharing correlating factors that would be used for third-party tracking.

Google doesn't sell your data.

It allows advertisers to bid on you.

Apple will do the same thing.

Google also collects your data outside Google owned experiences.
Apple already does the same thing. Apple Search Ads is not limited to the same restrictions that Facebook and Google are with regards to iOS tracking and reporting for advertising attribution.
Remember that Apple's "debacle" there was to comply with US law. Their issue was that (at the time) they were responsible for encrypted data backup's contents. So they could either scan on your device before backing up, or scan on the cloud. Scanning on your device, while it sounds scarier, actually offered more privacy protections, because otherwise their cloud needed to see your unencrypted data. And it only scanned on your device if you wanted to move things to the cloud.
This is false. Apple already scans everything on iCloud for banned material serverside, as iCloud Photos and iMessage are, for most people, not e2ee, and never will be so long as e2ee is opt-in.

Even if you enable the e2ee features rolled out in the last 12 months, your iMessages are still not e2ee unless all of your conversation partners have as well.

Also there is no US law demanding scanning of user data, your opening assertion refers to nonexistent requirements.

It's more about proposed EU laws than US laws.
Basically every claim in your comment is wrong:

* iCloud Photo Library was not scanned for CSAM content at the time of the announcement, which Apple confirmed at the time.

* iMessage E2E encryption is not opt-in. There isn't even an opt-out.

* The "E2EE features" you might be referring to is Advanced Data Protection for iCloud Backups, which is not related to the iMessage protocol at all. You don't have any guarantees about what your recipients are doing with the data you send them, ever.

There is US law which is ambiguous about the requirement on data providers to check content for CSAM material, which many have interpreted to require a check. This is why every other major cloud provider does scan for the content.

> iMessage E2E encryption is not opt-in. There isn't even an opt-out.

This is incorrect. iCloud Backup escrows endpoint keys for "Messages in iCloud" to Apple every night in a non-e2ee fashion, which means that a non-endpoint has the keys, which means that iMessage is not e2ee.

Apple has real-time access to plaintext of almost every single iMessage that transits their service. The only case in which they don't is where both users either don't have iCloud Backup enabled or both users have enabled e2ee iCloud Backup.

> Google, FB, & Microsoft where they both control and sell your data to the highest bidder.

Can we please keep this nonsense to lower quality sites like reddit? I like to pretend hacker news hasn't degraded this far yet.

While not technically correct "sell your data to the highest bidder" is close enough to what Google and FB are doing, and the distinction is irrelevant for most people.
Please expand, and perhaps explain how Apple is different.
Ad networks are running realtime bidding for ad space already in case you didn't know.

At the very least Google and FB got punished for doing that already in the past

The PSI system was pretty cool in my opinion. It was a very neat algorithm for obtaining information about set intersection in a privacy preserving way.
Where do I buy FB, Google and MSFT user data?
Yeah whenever I see "Privacy" segments in their marketing, it's hard for me to avoid thinking of it as "Here's how our anti-competitive moat works."
Ah yes, the web which is dominated by checks notes not-Chrome.
As a consumer. I don't care. I'd rather Apple be the only ones with my data. Advertisers handed Apple this power by spending the last decade being as abusive as technically possible. I hope Apple shuts down the entire industry.
> I'd rather Apple be the only ones with my data.

This was the same attitude that led Google where it is now. "Don't be evil" was really believed and accepted by huge part of their users, and compared to the sheer evil of Microsoft they sure looked like the better alternative.

> I hope Apple shuts down the entire industry.

On Apple's relationship with the ad industry, I have bad news for you.

Anything an advertiser can track, they will use where they can to build a profile of you to identify you uniquely for targeting. Apple allowing ANY tracking measurements through incognito that isn't already naturally happening by the nature of incognito is too much.
Here is my take: Apple is being pro-privacy to lock-in consumers to their products But they are nowhere as untouchable as they seem to think they are wrt to anti-trust laws. So, let them, in their arrogance, destroy surveillance-capitalism and get destroyed themselves for being uncompetitive. Let the beasts of greed eat each other.
> ... at end of the day they're simply consolidating all tracking power to themselves.

1. I'm still learning about 'private click measurement'. Does it reveal extra information to Apple? I would hope it is designed as a truthworthy protocol where cheating, even by Apple, is hard.

2. Welcome to another arms race: detecting and removing identifiers versus hiding them or using alternative mechanisms.

If Apple is taking on this challenge, do they have theoretical reasons to be optimistic? Practically, how well are they doing?

Update: this thread has a lot of comments on the "cat and mouse" game: https://news.ycombinator.com/item?id=36244899

Yes they are. And they know it. Apple knows it. Microsoft, Google and Amazon all know it.

Privacy and security is the most scalable, reliable way to locking users in and stifling competition behind a lot of marketing about "protecting" users.

How does it determine what is a tracking parameter? You can often pass a string along in the URL because you're trying to call a function or pass simple data between pages.
Or maybe it's a recover password link that you've been emailed, with an auth token.
Exactly what I was thinking, I've had false positives from uBlock thinking anything with /tracking/ in the URL was telemetry (when it could for instance be tracking of postal goods).

Unless they keep an up to date list of known tracking parameters I assume this will just become a cat and mouse game or advertisers will find other ways to obfuscate the tracking.

It’ll always be a cat and mouse game but I imagine that, even if they simply strip out utm_x parameters from the URL, there are enough websites out there that won’t update their Google analytics script to work around it.
The lowest-hanging fruit would be nuking any UTM-related tracking parameters (https://en.wikipedia.org/wiki/UTM_parameters). I'm sure the solution is sophisticated beyond simply handling these, though.
Right... but Google and Microsoft already let you customise the names of query parameters containing tracking information - I can call the Google Click ID parameter "dave" if I want to.
And the walls around the Spaceship are raised another few inches
Massively useful just because I do this manually already when sharing links.

However, could become an arms race where we start putting correlation IDs in params named page= or video=.

TikTok already does the latter iirc.
I believe you are correct. I don't use tiktok, but when someone shares a link with me the page says "XXX wanted you to see" and the url has no obvious query parameters so I can only assume they're bundling the video id with who shared it.
I don't think there is a foolproof way to tackle this.
Yeah this is a very naive and somewhat potentially harmful measure. Think of all the old .asp and .php websites that basically route you to a page by just throwing a big old fat query string into the URL.

The way this can be bypassed is:

Before: mylink.mydomain?tracking_id=abc123 After: mylink.mydomain/home/abc123/

Yeah, it might wreck SEO. But if you're really trying to track users and see who clicked on your email or whatever, it's probably the case that you don't care about SEO in this specific case.

It doesn't blanket-remove query parameters
There is some kind of blanket-remove bug with bookmarks. Try bookmarking a URL with query parameters in Safari on iOS. I don't know if it happens with every URL, but with this one[1] specifically, it drops the query parameter from the bookmark. You have to go add it in manually by editing the bookmark afterwards. I wonder if it's motivated by the same kind of change as this article is about, or if it's a separate bug. (I haven't tested this recently, but it was true as of late last year.)

[1] https://www.twintown.com/collections/acoustic-guitars?sort_b...

That's likely due to the page having a canonical URL meta tag:

  <link rel="canonical" href="https://www.twintown.com/collections/acoustic-guitars"/>
I mean presumably they have some decent heuristic for what are "user-identifiable" parameters.

But I don't trust that heuristics works for every query parameter for every website on the internet.

Here's one: Imagine you run a small website and send signup confirmation emails. Suddenly, 20-30% of your users can no longer complete signups and you have no idea why. Oh yeah, our URL is:

mysite.foo/signup?uid=139191238123.

And apple filtered out the uid parameter.

This is exactly what I am afraid of, we use url query parameters heavily to prefill forms for our employees and clients, think online training and service agreements. This will break a lot of our operation.
"This will break a lot of our operation"

》 For safari users 》 Until apple own the internet so the site is forced to adapt.

It breaks the web. There are literally no real rules on how you use them, so you have a lot of things that will be confused with tracking (gclid,clickid,campaign, etc). Even stuff that was originally tracking gets re-used. I've worked on systems where utm_medium=web and utm_keyword=socks were used to literally query the landing page for the user and effectively were the U in URL.
If companies try to hash the direct and referral link into a single link (or use a redirect link). Apple could visit the site internally, return the actual, tracking-free webpage, and forward that to the user. This would mean the referral link is actually just tracking how many times Apple decodes it and would devalue the use of a referral link since it would just be reporting "how many times this link was forwarded" and not "how many times this link was clicked"
Yup. Same way Gmail neutered tracking pixels in emails back in the day. They open each one as soon as the email is received, rather than when the recipient opens it.
Why do the people even want the internet anyways, they like getting everything from apple
That is a MUCH larger investment than shipping some client side code though.
Good for PR, practically useless against tracking.
It’s not all or nothing. It does improve privacy.
I'd assume it hinders it actually. It doesn't accomplish anything and you can tell what additional information about the customers device based on some parameters being stripped.
So does this mean that something like example.com/password-reset?token_id=2h2GV4nhySERT9pJ may get the random token stripped?

I don't understand how you can have a heuristic that doesn't break things.

I use a Firefox extension for this same purpose. They maintain a large database of known tracker parameters and strip them. This means occasionally a new or unknown one slips through the cracks, but overall is very effective.
Won’t the tracking companies work around this by providing each account their own set of unique obfuscated tracking names and keywords that gets mapped back behind the scenes? Impossible to build a database that way.
Probably one day, yes. And then the cat and mouse game will continue.
Not one day. Facebook started this practice a year ago.
Or simply generate a whole new URL with an UUID for every share.
I assume it only blocks known tracking. Using lists, similar to how content/ad blockers work.
That wouldn't work - people would just start giving their query parameters different name, e.g. instead of "gclid", it might be "dave".
I use an addon called NeatURL that strips out tracking parameters.

It has a specific blacklist of parameters to strip. In the several years I've been using it, I've only had two websites break from it, both being legit surveys that I needed to take.

I use uBlock Origin on Firefox on Android with "Actually Legitimate URL Shortener Tool" added but am weirdly conflicted on this news. If a user opts to kneecap advertising, that is soundly within their rights. If a company does the same against another company's advertising as a part of their normal business, I feel like the user becomes a pawn in some corporate warfare strategy.

Maybe it's because I think Apple is slowly building a parallel advertising ecosystem that is slightly less intrusive for users but massively more lucrative for themselves.

"I feel like the user becomes a pawn"

A company that makes a 30% cut on apps using customers as a pawn to make a worse browser experience pushing people into using app store apps?

Nothing is "less intrusive"... it's simply Apple making sure they get a larger cut of a larger market.

It's also why they enforce a shitty Safari unto their customers instead of allowing real browser choice. They are the new MS bundling shitty software to harm competitors and limit consumer choice.

Google also takes a 30% cut on apps. Microsoft takes 15% on Windows apps. Would that mean that Google and Microsoft are doing the same thing?

And while Apple does require Google and Microsoft to use WebKit for their iOS browser apps, it's a rendering engine. And you can set Chrome/Edge as defaults on both iOS and macOS.

Tell me how this limits real browser choice.

> Tell me how this limits real browser choice.

How does Mozilla implement extensions on iOS >_<? It is much more than the rendering engine they are forced to use.

Chrome doesn't even let you install extensions on Android. And for Firefox on Android it's a buggy workaround that doesn't even work half the time. This isn't just an Apple thing.
Wait, how is Firefox for Android a buggy workaround? I use it exclusively, with uBlock Origin, and it works great,every single time.
That's one extension, there are thousands that may or may not work. It was buggy the way Firefox used to handle extensions. The current Firefox extensions are ones that are made specifically for Firefox on Android, they're not direct extensions for the Chromium browser. It's another silo'd set of extensions separate from Chrome.

So iOS allows extensions only for Safari from the App Store. Android Chrome doesn't allow extensions at all. Android Firefox allows some extensions that were made for Firefox on Android.

Aside from extensions, try to do what Brave does on Android on iOS: you can't. The limitations are not just the renderer. On Android they can ship their own chromium.
How is Mozilla limited by the platform from doing it better on Android? You simply can't do it with the mandatory WebKit stuff.
> And you can set Chrome/Edge as defaults on both iOS and macOS. Tell me how this limits real browser choice.

Chrome on iOS is a skinned Safari. It's not real Chrome. Same for Edge.

How is forcing a shitty and limited "rendering engine" not limiting choice?

At risk of regulators forcing the issue, rumor says it may be changing but you are being disengenous if you don't think this isn't the same level of BS as IE bundling with Windows. "But we can skin IE to look like chrome" isn't choice

https://9to5mac.com/2023/02/07/new-iphone-browsers/

> "For example, the UK’s Competition and Markets Authority (CMA) found that:

> Apple bans alternatives to its own browser engine on its mobile devices; a restriction that is unique to Apple. The CMA is concerned this severely limits the potential for rival browsers to differentiate themselves from Safari (for example, on features such as speed and functionality) and limits Apple’s incentives to invest in its browser engine.

> This restriction also seriously inhibits the capability of web apps – apps that run on a browser rather than having to be individually downloaded – depriving consumers and businesses of the full benefits of this innovative technology."

edit: and I've ignored Mac OS because the conversation is clearly about iOS. If Mac OS had the same restrictions as the iOS (IE: you can install apps outside of the app store on your laptop) then we'd have the same conversation there.

A browser is much more than a rendering engine. Support for new features like openXR is something that iOS users are not allowed to choose.
Shitty is subjective. I'd personally pick Safari hands down over Chrome or Firefox or anything else.

Also many other companies follow a similar pattern, if not worse.

It came out in the Epic trial that 80% of App Store revenue comes from games. They would never be in the browser anyway.

Then most other apps that could just be websites don’t monetize through the App Store.

"They would never be in the browser"

If companies can install stuff outside of the app store to save a 30% a LARGE number of companies would absolutely do so. To say hamstringing the browser on iOS isn't a calculated choice to say "but you can install webapps* (* with shitty safari)" and then completely cock block web browser choice isn't a 100% calculated choice to limit consumer choice is a disingenuous lie.

"80%"

You think that Apple isn't going to hold onto the 20% come hook or crook? in any means necessary - including locking you to the App Store and the 30% cut - despite the fact that alternative payment methods are completely reasonable? and how much of that 80% is through games on the app store that REQUIRES a cut through their ham fisted and unreasonable restrictions? That's even more reason to give consumers and companies options outside of the app store and the mafia requirement for a cut.

> If companies can install stuff outside of the app store to save a 30% a LARGE number of companies would absolutely do so.

Again your banking app and even apps like Facebook and Reddit and most of the other apps that are not games, don’t monetize through the App Store. Even the large subscription streaming services like Netflix and Spotify don’t allow in-app purchases of subscriptions and haven’t for years.

> payment methods are completely reasonable? and how much of that 80% is through games on the app store that REQUIRES a cut through their ham fisted and unreasonable restrictions?

Your rant has absolutely nothing to do with whether if Safari was “better” would most of the revenue from the App Store - ie games - would move to the web.

That same 30% is what Google charges and around the same as what console maker charges.

Epic tried to move out of the Google Play store. It was an abject failure. Why do you think that Android app makers try to monetize outside of the Play Store?

> Your rant has absolutely nothing to do with whether if Safari was “better”

it absolutely has to do with Safari as the alternative - webapps. aka installing apps on the iOS outside of the app store - is absolutely hamstrung by requiring a bloated and dated "webkit".

100% on point to Apple holding back alternatives to lock people into their store.

"why"

30% cut of millions that isn't needed for large developers. You know? that 80% that you say because games are locked into the app store and the 30% cut.

Would games use a browser instead? Where are all of the great profitable web based games for Android? If the Android browser experience is so much better, then why are there hardly any apps that are iOS and web only so they can avoid the “Google tax”?

The entire idea that makes games so popular is that it’s easy to capture whales because of the easy payments. Are you really complaining that poor little Candy Crush and their ilk have to pay 30% to sell loot boxes and gems?

Yes and web apps and Electron apps are so great on other platforms. Especially seeing the piss poor hardware that most Android phones are running.

BTW, iOS/Safari wins every single web browsing benchmark out there.

"would games use a browser" they shouldn't need to consider it but they are forced by the mafia into giving the don their cut.

"are you complaining" are you defending mafia tactics to take a house cut that's way beyond reasonable? doesn't matter if it's "poor little candy crush" or not... I'm arguing against unreasonable market force - just like I'll argue against MS's IE/Edge bundling and Google forcing their platform.

Your deflections just show that you know I'm making a point - androids "piss poor hardware" has nothing to do with Apple using mafia tactics to gouge their customers.

Web Apps and Electron shouldn't be needed - companies should be able to use alternative payment methods. They also shouldn't be tied to shitty webkit with it's outdated, insecure and lackluster implementation.

and "safari wins benchmarks" is a lie - unless you're talking about the furthest behind and most insecure.

https://www.wired.com/story/safari-flaws-webcam-online-accou...

https://www.computerworld.com/article/2531350/apple-s-safari...

But don't let facts get in the way of the stock in Apple you own...

What does two articles about security flaws have to do with which browser is the fastest - ie “wins benchmarks”? And what does your ranting about the App Store have to do with an article about a web browser? Apple patched the flaw over a year ago are you claiming that Android has no security flaws?

Do you really want to die on the hill of how far back Apple supports devices with security updates compared to Google? (Hint: Apple released a patch for the iPhone 5s that was released in 2013 earlier this year)

The “mafia tactics” is the same percentage that Google takes and the same percentage the same game makers pay on Google.

Again, the article is about “web browsers”. Even if the Firefox engine or a third party engine were allowed on iOS - it would have no effect on the vast majority of App Store revenue since it comes from games.

"what's it have to do with" fastest is not best when it's the most insecure and furthest behind - to the point that it's holding back the internet like IE was back in the day. the fastest piece of shit car is still a piece of shit car.

"support" more support of an insecure, antiquated and unsafe browser is still support of a bad browser.

"same % as google" google does it because Apple did it and didn't get blocked. AKA: price fixing and market collusion. both should be blocked from it.

"it would have no effect" you are saying that alternatives wouldn't affect the price? You're full of...

competition would absolutely affect prices and alternatives would absolutely give real competition.

just because Apple supports the 5s with a shitty and limited browser that's faster but still hamstrung (your attempted points about Saint Apple and the Holy Safari) ... that doesn't change the fact that competition would lower prices as that 80% would absolutely be cut into by a massive number of companies that don't want to give the mafia a 30% cut.

Watch how those numbers change as Apple is FORCED to allow alternatives to their shitty options and their mafia tactics are countered.

https://mashable.com/article/apple-allow-third-party-app-sto...

"Apple will allow third-party app stores, because the EU is playing hardball Is this the end of the 30-percent App Store commission?"

> what's it have to do with" fastest is not best when it's the most insecure

So it’s the “most insecure” because you found two security issues that were patched? Other browsers never had security issues?

But you’re going back on your original statement that it isn’t the fastest.

> support" more support of an insecure, antiquated and unsafe browser is still support of a bad browser.

And it’s “bad” even though the competing browser on Android - Chrome - is slower, doesn’t support plug ins, and is by definition less secure since Google drops support for old phones?

> same % as google" google does it because Apple did it and didn't get blocked. AKA: price fixing and market collusion. both should be blocked from it.

Now it’s Apple’s fault that Google also charges 30% as well as the console makers?

> it would have no effect" you are saying that alternatives wouldn't affect the price? You're full of...

How would alternative browsers affect the price of apps that would never be in the browser? Another point is that there are alternatives on Android and Google still charges 30%. How did going outside of the Google Play Store workout for Epic?

> just because Apple supports the 5s with a shitty and limited browser that's faster but still hamstrung (your attempted points about Saint Apple and the Holy Safari) ... that doesn't change the fact that competition would lower prices as that 80% would absolutely be cut into by a massive number of companies that don't want to give the mafia a 30% cut.

Yet it doesn’t cause lower prices on Android…

> Apple will allow third-party app stores, because the EU is playing hardball Is this the end of the 30-percent App Store commission?"

And yet Apple didn’t announce anything at WWDC….

> I use uBlock Origin on Firefox on Android with "Actually Legitimate URL Shortener Tool" added

That's the problem. This is too complicated/too much trouble for the end user who just uses his iPhone via Safari. Do they the privacy and all that? Yes, will they go out of their way with all that trouble? No.

While you're not wrong that it's a company A fighting company B with users as pawns, it still is a win for the normal end user.

> Maybe it's because I think Apple is slowly building a parallel advertising ecosystem that is slightly less intrusive for users but massively more lucrative for themselves.

No. It's probably just because Apple is slowly building a parallel advertising ecosystem that is slightly less intrusive for users but massively more lucrative for themselves.

If there are two warring corporations, and one of them has a warfare strategy based on selling its customers tools to prevent the other corporation from tracking their content consumption, then sign me up for battle. I know which corporation I want to support.
False dichotomy
Why?
[flagged]
brave new world indeed
Capitalism isn't the only economic system with corporations.
Apple sells ads, so they’re financially motivated to track you just like the other ad companies. They might promise to not track us, but unless they’re audited by a 3rd party, we can’t assume they’re telling the truth.
AFAIK, Apple only sells ads within their own products. Meanwhile, I trust a company with $2.8T to lose more than almost any other actor to abide by the letter of their agreements.
>I trust a company with $2.8T to lose more than almost any other actor to abide by the letter of their agreements.

Woah, do not do this. Don't you remember the Butterfly keyboard denials, the 'holding the phone wrong', etc...?

The only reason you have trust is because they are the best company at marketing of all time. You were manipulated into trusting them. That is a huge red flag.

Don't blame me! I voted for Kodos!
I agree.

And in the end they are manipulating links. While no advocate for ads, this has implications on the freedom of the internet.

No, they are allowing users to manipulate links. Also, this only happens in Private Browsing mode.
Browsers are/were User Agents. The focus should be on maximizing that experience across the board.
I have no problems with corporations eating each other alive as long as the end result is less surveillance capitalism.
Nah. This is like popup blocking: it should be standard and on by default in every browser, with an option to turn it off if you don't want it.
> If a user opts to kneecap advertising, that is soundly within their rights.

If it is a switch somewhere with the user actually getting a choice, then it is the user choosing it and Apple is just providing a mean to do it. Exactly like when the user chooses to install an extension, except that this is much easier, and therefore much more likely to be used because users hate tracking. This is well documented.

Is there a good reason why Firefox should not ship with uBlock Origin by default (with the option to disable it)?
... I built that into my RSS reader
Isn't this a cat and a mouse game? The moment this actually start causing problems they will change how parameters work. Maybe the easiest would be to use a single encoded parameter which would be decoded on the server and Apple or anyone else won't be able to change a thing about it.

This is a MITM attack where Apple plays the good guy(or control freak, depending on how you feel about it) but MITM attacks are nothing new.

Apple is pushing PCM (private click measurement) as a middle safe ground, but nobody would adopt it if more invasive and accurate measures continued working.

They're probably hoping that advertisers will retreat to PCM instead of continuing the cat and mouse game.

PCM is an in-progress standard that, at a high level, allows measuring ad campaign success without tracking individual users. No such restrictions apply to query parameters, of course - so PCM is inherently more private.

Agreed. More simply couldn't any ad tracker just have a dynamic parameter name so it's impossible to distinguish between a parameter required to run the site and a parameter used for tracking?

Or is this feature more advanced than just stripping known tracking parameter keys?

Doesn't even have to be a parameter. Could just be a unique URL slug for every link. Backend DB will map the slugs to a user + content
I believe Tiktok basically does that already.
It’s easy enough to encode item IDs (e.g. the ID of a video) with various tracking data in a way that only the website itself can separate them. Decoding can be done at the CDN level, e.g. Cloudfront Functions.
True but is all that work and processing worth it? It needs to function on a mass scale.

CF functions are cheap, but at scale it's more than an irritant.

The net effect of this Apple "privacy" stuff is to make it very hard for small niche businesses with a limited budget to advertise effectively. There were tons of startup CPG brands like Dollar Shave Club that popped up during the great Facebook Ad banaza of the mid 2010s when tracking worked. This privacy crusade has just essentially cemented the big brands who can afford to do poorly targeted ad campaigns like TV advertising.
Honestly, I don't want any company to track me, neither big nor small.
This is barely privacy related, its more like an anti-referal system.
Whatever. I don't want them tracking me for any reason. If that kills a bunch of startups so be it.
They can advertise without tracking people. Maybe on websites the readers of which are a good fit for their products.

One wonders how any product launched or small business survived prior to the current millennium.

If your business dies because you can't track every micrometer of my mouse movements, then I'm one happy camper personally, good riddance.
Won't work with unique links like reddit or Instagram for content. Maybe just the share ID or device params might go
In my testing, the tracking parameter removal in Safari 17 seems very limited. It'll be interesting to see if this turns up in the WebKit open source, to see how it's implemented.
Question:

When I click in my Gmail android app on a link from a received E-Mail, the opened Firefox browser opens a google domain for a second and only after that the domain from the link opens... any idea what that is? Tracking?

Google bounces all URLs through a redirector which strips referrer information and also allows them to warn about malware sites that were identified after the message itself was classified and delivered.
I would like to test that but when clicking different links I get mixed results. The URLs get modified alright but a lot of referrer info seems to not get removed.

I guess its just Google collecting one more metric.

i think this is to remove real referer url from header, as this behavior is also present when you use web version of Gmail.

but with that solution tracking is also possible

(comment deleted)
It's for security. Checking against a list of banned URLs, etc. When you have user-submitted content, protecting your users from bad URLs is important.

Also, I'm sure they're doing plenty of click tracking too :)

Google Ads sent an email out to advertisers (a few days ago I think) introducing their workaround.

Normally clicks have a "gclid" query param. Google is introducing 2 new query params to somehow attribute clicks using modeling + machine learning (somehow).

Edit: here's a detailed description of how Google is attempting to track conversions using machine learning. I have no idea how this could possibly work without some kind of fingerprinting or user profiling or IP address. Almost feels like "modeled conversions" powered by ML is a way to do fingerprinting without explicitly having an algorithm that blatantly uses fingerprinting.

https://support.google.com/analytics/answer/10710245?sjid=85...

Edit 2: The new query params are "gbraid" and "wbraid". Googling those turns up more details.

It is not a work around in the sense that they will be able to track you, they won't.

What Google tells them that if they use Analytics 4, they can use modelling to give attribution of convertion. In this case, attribution means not fingerprinting but percentage of people that was converted thanks to Ads. For other analytic engines they set the fields as 'not set'.

They day that in their models they aggregate data as geo, IP, and others and they won't give the fingerprinting data. The only problem is that they don't give details on the privacy preservation of their ML models. This means that if they fuck it up and give to much information, someone could try to reverse the aggregation (like doing a deconvolution) and do some fingerprinting.

Easy work around is encrypt the data into the path decode the data server side and do a server to server beacon call. no ad blocker technique is going to be able to block it. apple is just making the industry step through more hoops. all the beacon calls are going to server to server before this.
My favorite part about this is how it basically forces services to accept this as a functional scenario.

If it were UBlock Origin doing this, sites could just say "Sorry, we don't support this, your addin is breaking everything, please turn it off."

But when Apple does something, there's no room for conversation. Sites can't say "Sorry, we don't work on iPhones." For better or worse, what Apple decides becomes acceptable. In this case for better.

But when Apple does something, there's no room for conversation. Sites can't say "Sorry, we don't work on iPhones."

Absolutely. There was no shortage of Windows-centric corporate IT departments that swore that they'd never support Apple products.

Then iPhones started showing up in boardrooms, and they quickly changed their tune.

I brought my iPhone to work shortly after launch and showed it to curious coworkers. The head of IT for that particular multinational corp said it was garbage and would never be allowed on his network. "Apple is crapple" was his favorite phrase.

A few months later he got to peddle his anti-Apple mantra on the unemployment line.

In fairness to the people who fired him, fanboy-ism has no place in the dispassionate decision making process of a professional. You have to have people around who are making decisions based on realities and not mantras or you're going to lose money.

If he wants a job where fanboy-ism can be helpful in climbing the ladder, he should try politics or something like that. Where all the money on the line belongs to other people. So no one really works to protect any of it.

Wow, are you seriously crowing about someone getting fired for not liking a particular company?
We shouldn’t crow about people being fired. But I’ve had that anti-Apple attitude leveraged at me in _so many meetings_. Having to smile and be polite to the face of people who keep referring to your choice of hardware as “fisher price” or “a toy” or “for sheep” is tiring and infuriating. I’m an engineer, and I made my decision with as much technical and design knowledge as anyone else

In my experience it’s also extremely one sided. I work with Windows, Android and Apple colleagues and the amount of times I hear “Xcode is crap haha”, “How can they live with such a shitty OS” etc. makes me wonder if all this is rooted in deep insecurity or something? Some Windows-centric people in senior management places I have worked will use me taking my iPhone out of my pocket as an opportunity to criticise the platform, my choice, and so on

I’m sure that some Apple users are quick to do the same, but in my experience they just tend to get on with their lives

Well, actually this might break a significant portion of the internet/websites for iPhone users.
I wonder can they tell the difference between tracking params and good old unobtrusive query params?
Ultimately I don't think they can. How would they handle a link like `https://example.com/password_reset?prid=ZXhhbXBsZWNsaWNraWQ`?

I'm sure somebody will figure out a way to use multiple seemingly-legitimate parameters to get the same result. Why use ?click_id=aqNERjsdfyqe when you can use ?category=10612550&subcategory=5929127&page=4257344 and transfer the same data without arousing suspicion?

Websites can use a single lengthy encrypted parameter to encode everything (query params and tracking data). And then what.. will they break all website links by removing the parameter?
Turn on iCloud private internet (apples vpn) and Google will make you do captchas all day long whenever they feel like it. I use DDG now, but Google really wants to track you.
> My favorite part about this is how it basically forces services to accept this as a functional scenario.

Maybe some services will accept it, but others will not. When I tried to sign in to Microsoft Teams from Safari yesterday it presented a screen that said that Teams will only load on Safari if I disable tracking prevention for the Teams site. So unless users put additional pressures on services to offer support for Apple those services may just force users to accept tracking one way or another: either by disabling Safari's mitigations or using an alternative client that does not use such mitigations.

Oh no, I can’t use a useless Microsoft product in Safari! Jesting aside, it’s a bad example. No one is changing their browser so they can login to their employer’s shitty surveillance, oops, I mean communication platform.
In what world aren't they? Their employer's shitty web frameworks are why IE11 has been relevant for so long.

Your choices are 1) download the native application (with much more access to your system) 2) follow the instructions 3) open Chrome because realistically you probably already have it anyway or 4) lose your job to prove a point.

I like it! But I imagine we'll see Facebook etc using unique links for everything, without redirects.

e.g. Your Facebook page url appears to be facebookdotcom/1234 for me when I click it from the home page, facebookdotcom/5678 when I click it from a thumbnail and facebookdotcom/0987 when someone else clicks it

Sounds great, I already use an addon to do this, but its nice to fight against marketing whenever we can. Good to have more users doing this.

The only negative I can see, is that this might long-term reduce functionality. I personally have a bad habit of passing data through URLs out of laziness/practicality.

Real quick, could you not download an addon that did this before? If you could, this seems potentially malicious, need to keep everyone on the App store and hurt the web.

> this might long-term reduce functionality... passing data through URLs

Are you somehow passing the data within the tracking params? Don't worry, Apple isn't going to remove all QSPs. That would break the internet.

Your addon for this works because it's not widespread enough for the marketers to implement a workaround. Apple just changed that, so now the marketers will find a new way and your addon won't be effective.
Do they block Google from tracking which search results you click on? Google changes search results link on-click to make sure they know where you go... Just right-click on a link and then hover it to see where it really points to
Doesn't work for me, I'm on Chrome, no adblockers (disabled uBlock), maybe it's because I said no to tracking
Get ready for everything to be a redirect.

mysite.com/aZdi

instead of mysite.com/invitation/?uid=1234

In the end most of these have to end up at some sort of public URL. Only truly closed platforms like FB could really work around this, but anything that ultimately has a public URL will be pretty easy to find.
Not really, any website can implement a url scheme that makes url params unneeded. You see this all the time with SEO friendly stuff where mysite.com/cool-product/details is displaying the same thing that mysite.com/product/?product_id=124&view=detail

It's extra work, but it's not hard.

i think you missed my point though, even with that it still stands
Well Safari could remove the parameters on the fly before performing the redirect I guess?
Maybe. For the past few years I've had the pattern of making is so we can permalinks that carry all the parameters in the database... so if you click on https://mysite.com/uDFOD it might display the same thing that https://mysite.com/products/really-cool-product/?lotsa=param... whould, but there is nothing in the url that needs to be displayed. If your web app is hosting the redirect, you can just skip to C and respond with the correct body to the redirect url.
Good. I wish the internet would go the way of the Gemini Project and, by default have privacy-centric behavior. I'm tried to every company thinking I want to be tracked; I do not. I want simple services that do the thing I ask them to do and no more.
Wait what??

So now if there is a link to, say, mysite.com/f/ajdheke and the last part is different for each user, and I choose to send this link to a friend, then the friend will get mysite.com/f ? Breaking the site?

Apple is going too far with this. Cookies is one thing, but how are people supposed to confirm email addresses now, copypaste a code?

I assume that everybody will now start implementing user-unique URLs to share like TikTok, instead of just tacking on parameters to a single canonical URL.
Will it remove Amazon referral trackers? That could destroy a publishing sub-industry in one fell swoop.